* hotfix: hardcode list of currencies to work around failing API calls
See https://github.com/spiral-project/ihatemoney/issues/1232 for a discussion on currencies
* Temporarily disable some currency operations to prevent crashes
Here is what is disabled:
- setting or changing the default currency on an existing project
- adding or editing a bill with a currency that differs from the default currency of the project
---------
Co-authored-by: Baptiste Jonglez <git@bitsofnetworks.org>
- replace setUp/tearDown with pytest fixtures
- rename test classes to use the pytest convention
- use pytest assertions
Co-authored-by: Glandos <bugs-github@antipoul.fr>
* Translated using Weblate (Spanish)
Currently translated at 100.0% (276 of 276 strings)
Translated using Weblate (Spanish)
Currently translated at 47.4% (131 of 276 strings)
Co-authored-by: Kamborio <Kamborio15@users.noreply.hosted.weblate.org>
Translate-URL: https://hosted.weblate.org/projects/i-hate-money/i-hate-money/es/
Translation: I Hate Money/I Hate Money
* Translated using Weblate (Spanish)
Currently translated at 100.0% (276 of 276 strings)
Translated using Weblate (Spanish)
Currently translated at 100.0% (276 of 276 strings)
Co-authored-by: gallegonovato <fran-carro@hotmail.es>
Translate-URL: https://hosted.weblate.org/projects/i-hate-money/i-hate-money/es/
Translation: I Hate Money/I Hate Money
---------
Co-authored-by: Kamborio <Kamborio15@users.noreply.hosted.weblate.org>
Co-authored-by: gallegonovato <fran-carro@hotmail.es>
Adds two configuration parameters that are passed to
generate_password_hash:
- PASSWORD_HASH_METHOD
- PASSWORD_HASH_SALT_LENGTH
The unit tests use high-speed low-security values and
gain 50% speed.
Also move the "invitation link" option first, because it's the preferred
way to give access to people that only need to handle participants and
bills.
Sharing the identifier and private code becomes the last option, because it
gives full access to changing settings.
This is something we had documented in our security documentation [1], but
we didn't actually do it...
As mentioned in [1], this has good security properties: you can invite
somebody with an invitation link, and they will be able to access the
project but not change the private code (because they don't know the
current private code).
This new check also applies to all other settings (email address, history
settings, currency), which is desirable. Only somebody with knowledge of
the private code can now change these settings.
[1] https://ihatemoney.readthedocs.io/en/latest/security.html#giving-access-to-a-project
`self.assertTrue(200, resp.status_code)` style assertions are always True
and thus are useless. It looks like the original author wanted
`self.assertEqual` there instead.
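The failure mode described in the commit message above, shown as an added example that is not part of the commit or of the project's code: `assertTrue` treats its second argument as the failure message, so a test written this way passes even when the response is a 404. The names `Resp`, `run`, `find_vacuous_asserts` and the `SAMPLE` source are constructed for illustration; the scanner flags any `assertTrue` call whose first argument is a truthy constant.

```python
import ast
import unittest

# Constructed sample test source (not taken from the ihatemoney repository).
SAMPLE = '''
class T(unittest.TestCase):
    def test_a(self):
        self.assertTrue(200, resp.status_code)
    def test_b(self):
        self.assertEqual(200, resp.status_code)
    def test_c(self):
        self.assertTrue(resp.ok, "request failed")
    def test_d(self):
        self.assertTrue("Forbidden", resp.data.decode())
'''

def find_vacuous_asserts(source):
    """Return (line, code) for assertTrue calls whose first argument is a
    truthy constant: the second argument is only the failure message, so
    such an assertion can never fail."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "assertTrue"
                and node.args
                and isinstance(node.args[0], ast.Constant)
                and node.args[0].value):
            hits.append((node.lineno, ast.get_source_segment(source, node)))
    return sorted(hits)

class Resp:
    status_code = 404  # constructed stand-in for a failing HTTP response

def run(method_name):
    """Run one assertion style against the 404 response; True means it passed."""
    class Case(unittest.TestCase):
        def vacuous(self):
            self.assertTrue(200, Resp.status_code)   # always passes
        def strict(self):
            self.assertEqual(200, Resp.status_code)  # fails on 404
    result = unittest.TestResult()
    Case(method_name).run(result)
    return result.wasSuccessful()

if __name__ == "__main__":
    print("vacuous passes on 404:", run("vacuous"))
    print("strict passes on 404:", run("strict"))
    for line, code in find_vacuous_asserts(SAMPLE):
        print(f"line {line}: {code}")
```

Running the scanner over a test suite before and after such a fix shows which access-control or status-code checks were never actually enforced by the tests.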
The 404 page crashes when the user is logged in:
      File "/home/zorun/code/ihatemoney/ihatemoney/templates/404.html", line 1, in top-level template code
        {% extends "layout.html" %}
      File "/home/zorun/code/ihatemoney/ihatemoney/templates/layout.html", line 124, in top-level template code
        {{ g.logout_form.hidden_tag() }}
      File "/home/zorun/venv/py3-ihatemoney/lib/python3.9/site-packages/jinja2/environment.py", line 474, in getattr
        return getattr(obj, attribute)
    jinja2.exceptions.UndefinedError: 'flask.ctx._AppCtxGlobals object' has no attribute 'logout_form'
This is because the logout form is defined by a URL processor, and this
does not seem to apply for all pages.
To solve this, simply skip the logout form if it's not defined.